Tagged: #password

On March 17th, the U.S. Attorney’s Office filed charges in U.S. Federal Court (Western District Washington) against Russian national Alex A. Kibkalo for stealing trade secrets from software giant Microsoft under The 1996 Economic Espionage Act (18 U.S.C. § 1832). Although U.S. v. Kibkalo (14-mj-00114) has yet to be ruled on, and despite involving a large multi-national business like Microsoft, this case highlights several cross-border trade secret protection issues all internationally-focused businesses should consider.

Facts. To understand these trade secret protection issues, it is important to first understand the alleged facts of this case. According to the U.S. Attorney’s Complaint, Kibkalo was a Microsoft employee, working as software architect in Microsoft’s Lebanon office. He allegedly signed a non-disclosure agreement (“NDA”) at the beginning of his employment.

Between July and August 2012, Mr. Kibkalo allegedly established a virtual machine on a computer server at Microsoft’s Redmond, Washington headquarters to upload unreleased versions of Microsoft’s software updates and a software development kit (collectively, “Content”) to his personal cloud storage account. The Content was secured on Microsoft’s internal system by Microsoft’s internal security program that included limited facility and electronic system access points, facility monitoring, and unique identifying signature technology to track downloaded proprietary information from the internal system. Those who accessed content on Microsoft’s internal electronic system were also required to accept Microsoft’s terms of service that included warnings concerning the proprietary nature of content on the internal system as well as reminders to Microsoft employees and others of their non-disclosure obligations pertaining to proprietary information on the system.

Once Mr. Kibkalo allegedly downloaded the Content, he allegedly transmitted links to the Content to a French technology blogger whose actual geographic location was unknown. Microsoft became aware of alleged transmission through an outside source who was contacted by the blogger about the Content. Microsoft subsequently monitored the blogger’s communication through the blogger’s Microsoft Windows Live Messenger account. An examination of the blogger’s Messenger communications and emails allegedly verified the transmission and unique identifiers in the Content.

Lessons To Be Learned. Although this fact pattern is by no means novel, it does reveal cross-border trade secret protection issues all companies should consider in order to ensure their trade secrets are protected under U.S. and foreign trade secret laws.

So what protection issues need to be considered?

Worker Protection Measures. Kibkalo emphasizes that establishing trade secret protections through contractual provisions with contractors and employees is essential for businesses to protect their proprietary information, both at home and abroad. Under U.S. law (18 U.S.C. § 1839(3)) and international legal standards (Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS) – Art. 39.2(c)), businesses who wish for their proprietary information to qualify for trade secret protection must take “reasonable” measures to protect such information from public disclosure. Often, this requires that a business have their employees, contractors or any other person to whom they disclose the business’ proprietary information sign a NDA (or similar agreement) prohibiting such persons from disclosing the proprietary information to others.See MAI Sys. Corp. v. Peak Computer, Inc., 991 F.2d 511, 521 (9th Cir. 1993).

Assuming Microsoft had an effective NDA executed with Mr. Kibkalo under U.S. law, Microsoft would likely be in a position to enforce trade secret protections in the Content under U.S. law.

Any business, regardless of its geographical location or the location of its employees or contractors, can also take similar protective measures.

Internal Security Measures. This case also highlights that international businesses need to establish internal security measures in order to effectively protect their proprietary information. Electronic and facility security measures, such as access restrictions, surveillance mechanisms have been found to be reasonable protection measures to help businesses qualify for trade secret protection. See U.S. v. Chung, 659 F.3d 815, 825 (9th Cir. 2011). As Microsoft attests to maintaining similar security measures, such measures would likely help Microsoft to obtain trade secret protection for its Content.

It goes without saying that not all businesses can afford the same level of security protections as multinational businesses like Microsoft. Yet, simple and relatively inexpensive security measures such as password protections, locking of files and computer equipment, as well as posting confidential notices on proprietary information can effectively help any business to better qualify for trade secret protection, both in the U.S. and abroad.

Online Monitoring Measures. Lastly, this case highlights the importance of online surveillance and tracking measures that businesses should consider acquiring to protect their proprietary information throughout the globe. Although generally not required to obtain trade secret protection under U.S. and/or foreign laws, the monitoring of suspected persons or entities who may be misappropriating trade secrets (*provided they are done so in compliance with applicable laws and regulations), as well as tracking software, are both effective tools to identify and prevent trade secret misappropriation. Microsoft would not have been able to determine that Mr. Kibalko had allegedly stolen the Content in the U.S. and allegedly transmitted it to the blogger outside of the U.S. without its unique identifier technology.

Granted, not all businesses have the same circumstances that allowed Microsoft to find out about the blogger and Mr. Kibalko’s alleged activities (e.g., outside sources, access to Messenger and email accounts, etc.), nor the available funds to conduct Microsoft’s extensive online surveillance activities. Yet, there are many (legal) monitoring services, investigating agencies, and identifying software products on the market that can help businesses better monitor misappropriating conduct both at home and abroad.

What’s The Takeaway? It remains to be seen how U.S. v. Kibkalo will be decided. However, this ongoing case shows that all internationally-focused businesses can develop sound practices and procedures to ensure their proprietary information is protected throughout the world. By establishing effective worker protection measures, internal security measures, as well as online monitoring measures, businesses can better protect their trade secrets from being misappropriated both at home and abroad.